What does malicious iFrames virus do?

Discussion in 'other anti-virus software' started by Hippocrates, Sep 22, 2010.

Thread Status:
Not open for further replies.
  1. Hippocrates

    Hippocrates Registered Member

    Joined:
    Dec 21, 2008
    Posts:
    12
    My understanding of the iFrame virus from Googling is that once a user browses to an infected website, the script will trigger the download of malware automatically without the user's consent.

    I'm using NIS 2011 and Google Chrome. I noticed that while both of them could block a number of known infected websites, there are some malicious websites that both didn't block.

    Is there a chance such malware could also be auto-executed (other than being downloaded) and cause an infection on the host computer, like modifying system settings and files? Will I be protected even if NIS doesn't notify me of any attack, or is it overkill to surf the internet inside a sandbox?
     
  2. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Drive-by download and drive-by install are almost the same process, since malware has to run in order to create damage. So it first has to get downloaded (whole or part of the malicious code/sequence/software) and then it runs... often automatically, or even with the help of the user... for example, when trying to close a fake pop-up window, etc.

    Generally you'll be protected if NIS detects the threat. If not... and if your only protection layer is NIS... then you are not protected. But before saying so, you have to consider that security software could alert you using some kind of web shield while you visit a malicious site, or by scanning all the downloaded files. I mean that even if security software does not detect or know a malicious site, it should know the malicious downloaded file. So only if you are 100% sure that a certain site is malicious, you get no alert, and you notice various malicious activity on your PC, can you say that NIS did not protect you.

    Surfing the web with a sandboxed browser is one of the best security habits you may have.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, I don't use Chrome so can't comment on it. However, I do use FF with NoScript, which has excellent iframe blocking, amongst lots of other things :thumb:

    My AV, Avira, is also very good at blocking these malicious attacks.

    I know the above aren't what you're using, but I'm posting as an FYI and for others too ;)
     
  4. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    In theory Chrome should provide a better level of protection for attacks coming via the web. But still, Chrome is not immune and has security holes. So there is the ever-present issue: if the malicious website knows how to trick your browser and your AV does not know the threat, then you're fried.
     
  5. Hippocrates

    Hippocrates Registered Member

    Joined:
    Dec 21, 2008
    Posts:
    12
    Thanks for your detailed explanation. I always thought that my computing habits were kind of safe, as I only execute/install well-known programs from authentic sources, but after reading a few articles on the iFrame virus, I'm not so sure anymore. Hackers could inject malicious code into a seemingly normal website and lure unsuspecting users into downloading certain viruses.

    What I'm wondering is... let's say the virus is downloaded automatically by the scripts and not caught by the antivirus. Is there such an avenue or function in the web browser (i.e. Chrome) for it to be executed automatically without informing me? Or would it just sit in my cache and do no harm if I'm not dumb enough to execute it? Normally a downloaded program needs to be launched manually by the user, or else it won't execute itself. Are those iFrame viruses an exception, in that they can execute themselves or fool the browser into executing them without my acknowledgement? o_O o_O

    It's true that my only layer of security is NIS. :) There were occasions when NIS did not alert me when I visited some malicious links (posted in a security forum), but I have not once found my computer behaving weirdly. That's why I was wondering if Google Chrome refuses the iFrame viruses the privilege to auto-execute themselves, which would mean that I'm actually protected despite there being no protection from the antivirus at that moment.

    Otherwise, I really may have to install a sandbox though it sounds a bit paranoid to me.
     
  6. Hippocrates

    Hippocrates Registered Member

    Joined:
    Dec 21, 2008
    Posts:
    12
    Thanks for your suggestions. I used Firefox and Avira in the past, but not anymore. :) As for NoScript, I installed it once just to test, but somehow a few of my regular websites didn't appear normal after that, so I believe it was also blocking some "desirable" scripts. Hence, I'm not too sure if I should install NoScript now that it has been ported as an extension for Chrome.
     
  7. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Yes, Chrome's sandboxing functions will protect you. The problem is (like I mentioned above) that Chrome itself and your OS are not bulletproof, so an author of malicious code could take advantage of a hole and manage to get past Chrome's sandbox and then defeat the OS protections (not an easy thing, but it could happen). I've also mentioned above that in theory Chrome provides better protection.

    I don't want to alarm you... in most cases NIS and Chrome will protect you perfectly.

    Also check this: http://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html (pay attention to the last paragraph: "What are the limitations?")
     
  8. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  9. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    @Hippocrates

    Hello! Generally Norton works better with Internet Explorer and Mozilla Firefox. That is because Norton uses 2 layers of browser protection:
    Download Insight in version 2011 works with Chrome, too. However, IPS and SafeWeb are not integrated with Chrome, as they work as BHOs in IE and add-ons in Firefox.


    Additional information:

    Safe Web
    http://en.wikipedia.org/wiki/Norton_Safe_Web

    Intrusion Prevention

    Example of Norton IPS blocking access to a site that attempts drive-by download of malicious file:
     


    Last edited: Sep 22, 2010
  10. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    There are some people at this forum who, knowing what is possible, use multiple layers of virtualization.
    Peter2150 to name one.
    For example, they will use Sandboxie running on Returnil.
    Or Sandboxie running on x, y, or z.
     
  11. Hippocrates

    Hippocrates Registered Member

    Joined:
    Dec 21, 2008
    Posts:
    12
    Guess I'm outdated; I had been reading the forum and I kept seeing people mentioning there's no NoScript for Chrome. :)

    Well, I'll think about installing Sandboxie (or not). Naturally I would like to keep the security layers to a minimum. If NIS and Chrome could do the job sufficiently, I wouldn't want to buy Sandboxie just to prevent a possibly super-rare event where a virus could penetrate Chrome's sandbox, Windows protection, and NIS.

    I think I'm already paranoid enough to back up my system so often!!!
     
  12. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Sorry! I forgot to mention that I use the free version of Sandboxie :oops:
     
  13. Hippocrates

    Hippocrates Registered Member

    Joined:
    Dec 21, 2008
    Posts:
    12
    Hi 3GUSER,

    I would love to have IPS and SafeWeb, but IE and Firefox are not an option for me. I used Firefox for years until I felt that I couldn't bear its sluggishness on my laptop, especially when dealing with multiple tabs.

    Anyway, I tried your link where Norton IPS protects :p:p:p just for the sake of experimenting, knowing that I have a good copy of a system backup.

    Google identified it as a malicious website and blocked it... even after pressing "proceed" on two occasions, somehow the "antivirus.exe" virus file couldn't be downloaded at all, needless to say executed. :) I've no idea what's going on behind the scenes, as I'm not proficient in IT, but I guess to a casual user that means there was some form of protection with Chrome.

    I'm only worried about auto-download and auto-execution of a script virus. If the user's consent is required for execution, I guess I'll be pretty safe.
     
    Last edited: Sep 22, 2010
  14. Hippocrates

    Hippocrates Registered Member

    Joined:
    Dec 21, 2008
    Posts:
    12
    If I'm ever going to use Sandboxie, I'll definitely buy a license. The extra feature that you can force all browsers/any application to run in the sandbox is too good to be missed. That's another layer of protection against a user's carelessness. :)
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well, I have a licensed copy of Sandboxie, but the way I see it is that if a user is too lazy/careless to right-click a browser icon and select "run sandboxed", they have problems already :) There's one thing and one thing only that separates free from paid and makes a difference: the ability to have more than 1 sandbox open at a time. I HATE that restriction; it's a sure-fire way to get someone to eventually pay.

    On topic though, I don't think I've seen an IFRAME for a while, let alone an attack using it.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Firefox w/NoScript (forbid IFRAME enabled), sandboxed, and you are done. Try FF and NS again and do yourself a favor and start using SBIE. It does not matter whether it is the free or paid version; both would protect you the same and will help you have more enjoyable browsing, since you will not get paranoid anymore.

    Bo
     
  17. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,

    Firefox + NoScript + Sandboxie + a good AV is the way to go.

    If you feel uncomfortable noticing that some websites do not work properly due to JavaScript being blocked by NoScript running on FF, you may as well grant permissions to those particular websites so they can display the content that you are not able to see due to NS.

    Now, if the website that you have already granted permission through NoScript has already been compromised, then you are in trouble, because harmful iFrames can attack you through Java Runtime + Adobe Flash Player + Adobe Reader vulnerabilities.

    I've seen this myself while experimenting with the so-called Exploit Kits [Eleonore, Phoenix, CrimePack, Siberia, etc.].

    Thus, if you think you're going to grant permissions to websites through NS, then you also need Sandboxie. If the website is "behaving badly", then running FF within a sandbox can save you headaches. The iFrames could still attack your browser and even crash it, but it will be confined to the sandbox.

    So, recapping: run FF + NS, and do it with FF running sandboxed in case the website you granted permissions to has already been compromised.

    Carlos



    P.S.: I run a paid version of SB, but I installed the unpaid version on my sister's laptop, and while she's running a sandboxed FF she has been able to open IE also sandboxed. I might be mistaken, but if that is the case then more than 1 application can be run sandboxed simultaneously with the non-paid version.
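The injected iFrames discussed in this thread are typically made invisible (1x1 pixels, or hidden with CSS) and point at a host other than the page being visited. The following is an added example, not code from any poster or from the tools mentioned in the thread, showing how a site owner or analyst can scan saved HTML for that pattern with only the Python standard library. The sample page and the hostnames in it (`evil.example`, `bad.example`) are constructed for illustration.

```python
"""Added example: flag hidden, off-site <iframe> tags in a saved HTML page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate video embed plus two injected frames.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://evil.example/in.php" width="1" height="1" frameborder="0"></iframe>
<div><iframe src="//bad.example/x" style="display:none; visibility:hidden"></iframe></div>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser lower-cases attribute names for us.
            self.frames.append(dict(attrs))


def _is_tiny(value):
    """True for width/height values of 0 or 1 (units such as 'px' are ignored)."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def _hidden_reasons(attrs):
    """List why a frame would be invisible to the visitor (empty list = visible)."""
    reasons = []
    if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
        reasons.append("1x1 or smaller dimensions")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    return reasons


def _is_off_site(src, page_host):
    """True when the frame loads from a different host than the page itself.
    Relative URLs have no hostname and are treated as same-site."""
    host = urlparse(src).hostname  # handles both 'http://h/p' and scheme-less '//h/p'
    return host is not None and host.lower() != page_host.lower()


def suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for every frame that is both hidden and off-site.
    A visible off-site embed (e.g. a video player) is not reported."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src") or ""
        reasons = _hidden_reasons(attrs)
        if reasons and _is_off_site(src, page_host):
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Run against the constructed sample with the page host `www.example.com`, the scanner reports the two injected frames and leaves the visible video embed alone. It is a triage aid, not a verdict: a hit only tells you which frame to examine, and the attribute names it keys on (`width`, `height`, `style`) are the ones the sample uses.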
     
  18. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I think that is quite correct. One can run several programs sandboxed at the same time in the free version. The main difference is that the paid version allows you to have several different sandboxes at the same time. The user could then empty one or more but not the other(s).
     